My Home Lab – Chapter 4 Network Design and VLANs

Netgear R7800 Router
How my home network has evolved

First let me say that these blog posts are not meant to be a how-to; really I am just documenting the path I took. To undertake any project or new technology you read about on these pages will require you to do your own research, and possibly a bit of trial and error. But to me that is the fun of this hobby. You design it, you test it, you break it, then you fix it. The point isn’t the destination, it is the journey and the learning. If you know little or nothing about networking, IP addresses and the like, I recommend you spend a bunch of time looking at Network Chuck’s videos. I really am unable to give you a deep education on networking in my simple blog.

Second, I have had a bit of a tendency to apply a bigger-is-better philosophy to my designs, and if I am being honest, I don’t think the investment is always worth the return, at least on paper. Faster CPUs, more memory, faster network connections (like 2.5 Gb or 10 Gb Ethernet), etc., are really not going to make anything go faster when I am limited by the speed of my cable internet. So please, if you are going to fall into the bigger-is-better trap (and it’s REALLY tempting to do this), do it with eyes wide open. My network is WAY over-designed. I did it because I could and I could fit it in my budget. But you don’t necessarily need to follow suit. And your home lab will not really be any slower if you decide to go with gigabit Ethernet and save a bunch of money.

With the disclaimers out of the way, the picture above is a Netgear R7800 router. For years and years it was the entirety of our home network. It provided firewall, routing, local area network (LAN), WiFi access, domain name service (DNS), you name it. I used to think it was pretty cool that I could use a service like OpenDNS to provide all of my DNS services AND internet content filtering for free. When our children were younger we gave them tablets, but we wanted to keep them safe on the internet. This is where OpenDNS came in. OpenDNS does filtering by broad categories: gambling, pornography, academic cheating, tobacco, alcohol, etc. You as the parent choose which categories are off limits. If the kids tried to go to a website that was blocked, they would get THIS picture and a message saying “Mommy and Daddy say you can’t go here!”

Me dressed as Shrek for Halloween

Early on in my home lab journey it became evident to me that networking is really the backbone of a home lab. None of this works without a LAN. And for most home lab situations a wired connection (Ethernet) is much preferred over a wireless network connection. Ethernet is generally faster than WiFi, has lower latency and doesn’t suffer radio interference. I also learned that you don’t want your Ring cameras, Amazon Alexa, your kids’ PlayStation, your streaming televisions, etc. all on the same network as your home lab equipment. It creates a number of headaches and security risks that can be solved with VLANs.

VLAN stands for virtual local area network. It is a networking function that most all-in-one home routers can’t really do. It requires a special kind of network device called a managed switch. A network switch is a device that connects computers via Ethernet or fiber optic cables. In an unmanaged switch, every device connected can communicate with every other device connected to the switch; essentially all the devices are in the same VLAN. In a managed switch you can define multiple VLANs (network segments), each with its own unique IP address range. This effectively allows you to segment one physical network into multiple independent virtual networks. The switch keeps the VLANs apart; deciding whether devices in one VLAN can access devices in another VLAN is the job of the router.

With all of this in mind, I tried to turn my Netgear router into a proper home lab network. I downloaded open source software that would expand its functionality (OpenWRT if you are interested). But it became clear that this was not an optimal solution for me. Then I stumbled on this video:

Once I dumped the all-in-one router, I picked up three separate devices to replace it: a firewall/router, a managed switch, and a WiFi access point, along with some Cat 6 Ethernet cables to connect everything. I use pfSense, a free and open source, next generation firewall, as the software for my firewall/router device. This affords me a number of benefits. First, I can upgrade the individual devices without having to buy a whole new router. Second, I now have the ability to segment my network using VLANs, and with the access point I am using I can create up to 10 different WiFi networks (SSIDs), each of which can be tied to a unique VLAN if I choose. Finally, pfSense has many add-on packages (free to download) that can do things like DNS filtering, ad blocking, intrusion detection (IDS)/intrusion prevention (IPS), VPN routing and more. This makes my firewall/router device a server in its own right that can do a lot more than your typical home router can.

In our home I have six VLANs set up:

  1. Trusted – for my PC and my wife’s PC only
  2. Guest – for my kids and any guests
  3. Television – for our TVs, which all use Roku streaming sticks
  4. IOT – for all of the Ring cameras, the Ring alarm system, and our Alexa devices
  5. Untrusted – for software and servers that I allow to go out over the public internet (like the server running this blog, for instance)
  6. Management – for reaching the management interfaces for my servers

I set up firewall/routing rules within pfSense for all of the VLANs. All of the devices on these VLANs can reach the outside internet. But none of the devices can access devices in other VLANs, with the exception of my “trusted” VLAN. My computer and my wife’s computer can access any device on any VLAN. Otherwise, the router sets up strict boundaries. I have unique SSIDs for the first five VLANs, all with very strong and unique passwords. This means that if someone from the outside manages to hack into my untrusted VLAN (the only one that is publicly exposed), they will not be able to get access to any of the other VLANs. The same is true for the IOT VLAN. If a Ring camera is hacked, the hacker will not be able to access my sensitive information on the trusted VLAN.
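To make the VLAN explanation above and this inter-VLAN policy concrete, here is an added example (my own illustration, not the author's pfSense configuration) that models the policy as pfSense evaluates it: rules are attached to the VLAN interface where traffic enters, the first matching rule wins, and anything that matches nothing is blocked. The six VLAN names come from the post; the /24 subnets and the assumption that the firewall holds the first address of each VLAN are constructed placeholders. It also shows the one gotcha a "block everything local" rule introduces: clients on the locked-down VLANs still need to reach the firewall's own DNS resolver, so that pass rule has to sit above the block.

```python
import ipaddress

# Constructed addressing plan. The post names the six VLANs but does not
# publish their subnets, so these /24s are placeholders.
VLANS = {
    "Trusted":    ipaddress.ip_network("10.0.10.0/24"),
    "Guest":      ipaddress.ip_network("10.0.20.0/24"),
    "Television": ipaddress.ip_network("10.0.30.0/24"),
    "IOT":        ipaddress.ip_network("10.0.40.0/24"),
    "Untrusted":  ipaddress.ip_network("10.0.50.0/24"),
    "Management": ipaddress.ip_network("10.0.60.0/24"),
}

# Destination selectors, in the spirit of pfSense aliases.
ANY = "any"                      # anything at all (local or internet)
ALL_LOCAL = "all_local_nets"     # every VLAN subnet listed above
THIS_FIREWALL = "this_firewall"  # the firewall's own address on the ingress VLAN

def gateway(vlan):
    """Assumption: the firewall holds the first usable address of each VLAN."""
    return VLANS[vlan][1]

def build_rules():
    """Per-ingress-VLAN rule lists of (dst selector, dst port or None, action).

    Trusted may open connections to anything. Every other VLAN is blocked
    from all local subnets and then allowed out to anything else, i.e. the
    internet. That matches the policy described in the post.
    """
    rules = {"Trusted": [(ANY, None, "pass")]}
    for name in VLANS:
        if name == "Trusted":
            continue
        rules[name] = [
            # Let clients reach the firewall's DNS resolver *before* the
            # local-nets block below; otherwise name resolution silently breaks.
            (THIS_FIREWALL, 53, "pass"),
            (ALL_LOCAL, None, "block"),
            (ANY, None, "pass"),
        ]
    return rules

RULES = build_rules()

def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if it is not local."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None

def matches(dst_ip, dst_port, src_vlan, selector, port):
    """Does one rule's destination/port selector match this connection?"""
    if port is not None and port != dst_port:
        return False
    if selector == ANY:
        return True
    if selector == ALL_LOCAL:
        return vlan_of(dst_ip) is not None
    if selector == THIS_FIREWALL:
        return dst_ip == gateway(src_vlan)
    return dst_ip in VLANS[selector]

def evaluate(src, dst, dst_port=None):
    """Return 'pass' or 'block' for a new connection from src to dst:dst_port."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan = vlan_of(src_ip)
    if src_vlan is None:
        return "block"  # not from a known VLAN interface: no ruleset applies
    for selector, port, action in RULES[src_vlan]:
        if matches(dst_ip, dst_port, src_vlan, selector, port):
            return action  # first match wins, as in pfSense
    return "block"         # implicit default deny at the end of every ruleset

def reachability():
    """For review: which VLANs can open connections to hosts in which others."""
    table = {}
    for src in VLANS:
        probe = VLANS[src][10]  # an arbitrary host in the source VLAN
        table[src] = sorted(
            dst for dst in VLANS
            if dst != src and evaluate(probe, VLANS[dst][10]) == "pass"
        )
    return table

if __name__ == "__main__":
    for src, reachable in reachability().items():
        print(f"{src:11s} -> {', '.join(reachable) or '(internet only)'}")
```

The `reachability()` table is the check worth running after every rule change: it should show Trusted reaching the other five VLANs and every other row empty. Two things the model leaves out on purpose: pfSense is stateful, so replies to a connection Trusted opened into IOT flow back without an IOT rule allowing them, and real rules also match on protocol, which matters if you ever narrow the DNS rule further.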

Tom from Lawrence Systems is another spectacular content creator for the home lab crowd. He has a very good video on how to set up firewall rules for your VLANs in pfSense.

There are two other networking topics worth mentioning: using a virtual private network (VPN) to access my network securely from anywhere, and how I expose my servers to the public internet. There is a lot of information out there about VPNs, so I won’t dive deep into it here. A VPN is a way to encrypt traffic going in and out of your network to the public internet. These make a lot of sense to me when you are using public WiFi, like in a coffee shop or the airport, where it is very easy for bad actors to intercept your traffic and steal your identity or hack your computer. But at home, I don’t really see the need for a VPN in everyday use. I do, however, want to be able to access all of my equipment remotely when I am traveling, in order to keep my servers and this website up and running. For me the easiest way to do this without poking holes in my firewall is to use a free, open source product called Tailscale. Tailscale is an overlay network/VPN that makes using a VPN very easy. Tom Lawrence has several great videos on this subject.

The other topic (and a very related one, really) is how I expose my servers to the internet. The “standard” procedure is to expose my public IP address to the world and open a port in my firewall to let website traffic into my web server. This is very dangerous, as it would open my home network to the world and to cyber attack. Yes, there are measures I could take to mitigate this risk, but it’s a lot of work. And there is an easier answer: Cloudflare Tunnels. Network Chuck has done an AWESOME video explaining this.

I know this is a difficult topic and I am only scratching the surface in explaining it all. But if you are starting in the home lab/self-hosted hobby, these are topics you will need to go deep on. I hope you found my pointers helpful.

Thanks and have fun networking. Feel free to reach out to me if you want to know more.